Conducting a Business Impact Analysis

Status: Live

The organization will conduct regular reviews of the organizational mission and business impact analysis, prioritizing each business unit, process, and transaction according to importance and risk. [UCF ID 01147]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

Authority documents complied with:

FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg 8 thru Pg 10, Pg D-2, Pg D-5, Pg D-6, Pg F-1, Exam Tier I Obj 2.1, Exam Tier I Obj 2.5, Exam Tier I Obj 8.4; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 36; CMS Core Security Requirements (CSR), Draft, § 5.2.7; Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 164.308(a)(7)(i), § 164.310(a)(2)(i), § 164.312(a)(2)(ii); Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, June 2002, § 3.2; Business Continuity Institute (BCI) Good Practice Guidelines, 2005, Stage 1.2 Process, Stage 1.1 Process; The Standard of Good Practice for Information Security, CI2.3.5; Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition, Ch 5.3.3; OGC ITIL: Security Management, § 2.2.4; Australia Better Practice Guide - Business Continuity Management, January 2000, Pg 13 ¶ 4 thru Pg 13 ¶ 6, Pg 36

Banking and Finance Guidance

The organization should conduct a Business Impact Analysis (BIA) as part of the continuity planning process. The BIA should assess and prioritize all functions and processes that must be recovered; identify the impact of nonspecific events on those functions and processes; assess the impact of regulatory and legal requirements; estimate the maximum allowable downtime; consider the impact of a pandemic; be evaluated during the risk assessment; be tested and incorporated into the continuity plan; and be reviewed and updated regularly. A copy of the BIA should be maintained offsite. [Pg 8 thru Pg 10, Pg D-2, Pg D-5, Pg D-6, Pg F-1, Exam Tier I Obj 2.1, Exam Tier I Obj 2.5, Exam Tier I Obj 8.4, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

A business impact analysis should be conducted on the e-banking services to determine the minimum level of required service and recovery-time objectives. [Pg 36, FFIEC IT Examination Handbook – E-Banking, August 2003]

Healthcare and Life Science Guidance

[§ 5.2.7, CMS Core Security Requirements (CSR), Draft]

[§ 164.308(a)(7)(i), § 164.310(a)(2)(i), § 164.312(a)(2)(ii), Health Insurance Portability and Accountability Act of 1996 (HIPAA)]

NIST Guidance

An organization is required to conduct a business impact analysis. This should be headed up by the contingency plan coordinator. The goal of the business impact analysis is to match up system components with the critical services they offer, then determine the consequences of a disruption to these system components. [§ 3.2, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, June 2002]

ITIL Guidance

[§ 2.2.4, OGC ITIL: Security Management]

General Guidance

Stage 1.2 Process (BIA) describes conducting a business impact analysis. The following steps are required:
Identify discrete business processes across the organization and management owners of these processes
Identify suitable staff from whom information can be sought about the business processes - subject matter experts
Identify the impacts which may result in damage to the organization’s reputation, assets or financial position
Quantify the time scale within which the interruption of each business function becomes unacceptable to the organization.
Stage 1.1 Process describes conducting a business impact analysis to identify how a variety of threats may affect the organization. Threats include:
Loss of staff
Loss of location (single and/or multiple)
Telecommunications failure
Computer system failure (component and/or total)
Equipment failure (e.g. depending on industry: building management systems, manufacturing capacity)
Supplier failure
[Stage 1.2 Process, Stage 1.1 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005]

Software vulnerabilities should be identified and evaluated to determine applicability and business impact to the organization. [CI2.3.5, The Standard of Good Practice for Information Security]

[Ch 5.3.3, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition]

Asia and Pacific Rim Guidance

Pg 13 ¶ 4 thru 6 says that when analyzing the impact of an outage, focus should be placed on consequences. Ideally, both bottom-up and top-down approaches to business continuity management are used. The bottom-up approach begins with the question "what happens if controls fail?" and works from the consequences back towards controls. The top-down approach begins with consideration of the likelihood and cause of an outage.
Pg 36 talks about conducting a business impact analysis. For this process, all key business processes should be documented, activities and resources critical to key business processes should be identified along with interdependencies between resources. All business processes and activities should be ranked. Operational and financial impacts of an outage should be considered, and each potential risk should be considered based on its likelihood of occurrence.
[Pg 13 ¶ 4 thru Pg 13 ¶ 6, Pg 36, Australia Better Practice Guide - Business Continuity Management, January 2000]
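A worked illustration of the dependency-based prioritization that the NIST guidance (§ 3.2: match system components to the services they support, then determine the consequence of a disruption) and the Australian guidance (Pg 36: document interdependencies, rank processes, consider operational and financial impact) describe. It maps business processes to the system components they need, derives each component's tightest tolerable outage and a recovery order, and flags components whose planned recovery time cannot meet the business need. This is an added example, not text or code from the UCF or any cited authority document; every process, component, impact rating, dependency and RTO value below is constructed.

```python
"""Toy BIA worksheet: processes -> components -> derived outage tolerances.

Added illustration only. All names and numbers are constructed; the
dependency map and RTO figures are not taken from any real plan.
"""
from dataclasses import dataclass


@dataclass
class Process:
    """One business-process row of the BIA worksheet."""
    name: str
    mtd_hours: float      # maximum tolerable downtime before harm is unacceptable
    financial: int        # impact ratings, 1 (negligible) .. 5 (severe)
    regulatory: int
    reputation: int
    depends_on: list      # system components the process cannot run without

    @property
    def impact(self) -> int:
        # The worst single dimension drives priority: a regulatory breach is
        # no less serious for carrying a small dollar figure.
        return max(self.financial, self.regulatory, self.reputation)


# Constructed component dependency map: component -> components it needs.
COMPONENT_DEPS = {
    "online-banking": ["core-ledger", "auth-service"],
    "wire-transfer": ["core-ledger", "auth-service"],
    "core-ledger": ["primary-db"],
    "primary-db": ["san"],
    "auth-service": ["directory"],
    "reporting": ["warehouse"],
}

# Constructed recovery time objectives (hours) as currently engineered.
CURRENT_RTO_HOURS = {
    "online-banking": 8, "wire-transfer": 8, "core-ledger": 4,
    "primary-db": 12, "san": 24, "auth-service": 4, "directory": 6,
    "reporting": 72, "warehouse": 72,
}

# Constructed worksheet rows: name, MTD, financial, regulatory, reputation, deps.
PROCESSES = [
    Process("Customer payments", 4, 5, 5, 5, ["online-banking", "wire-transfer"]),
    Process("Account login", 8, 3, 2, 4, ["online-banking"]),
    Process("Regulatory reporting", 48, 2, 4, 2, ["reporting"]),
]


def transitive_components(component, deps=COMPONENT_DEPS):
    """Every component a component needs, itself included (depth-first walk)."""
    seen, stack = set(), [component]
    while stack:
        c = stack.pop()
        if c in seen:
            continue
        seen.add(c)
        stack.extend(deps.get(c, []))
    return seen


def derive_component_mtd(processes):
    """Tightest MTD of any process that directly or transitively needs the component."""
    mtd = {}
    for p in processes:
        for top in p.depends_on:
            for c in transitive_components(top):
                mtd[c] = min(mtd.get(c, float("inf")), p.mtd_hours)
    return mtd


def derive_component_impact(processes):
    """Highest impact rating among the processes that need the component."""
    impact = {}
    for p in processes:
        for top in p.depends_on:
            for c in transitive_components(top):
                impact[c] = max(impact.get(c, 0), p.impact)
    return impact


def dependents(component, components):
    """Number of other components that (transitively) need this one."""
    return sum(1 for d in components
               if d != component and component in transitive_components(d))


def rank_components(processes):
    """Recovery order: shortest derived MTD, then highest impact, then most
    dependents (so shared infrastructure like storage comes up first)."""
    mtd = derive_component_mtd(processes)
    impact = derive_component_impact(processes)
    comps = list(mtd)
    return sorted(comps, key=lambda c: (mtd[c], -impact[c], -dependents(c, comps), c))


def rto_gaps(processes, current_rto):
    """Components whose planned RTO exceeds the MTD the business actually needs."""
    mtd = derive_component_mtd(processes)
    return {c: (current_rto[c], mtd[c]) for c in mtd if current_rto[c] > mtd[c]}


if __name__ == "__main__":
    for c in rank_components(PROCESSES):
        print(f"{c:15} MTD={derive_component_mtd(PROCESSES)[c]:>3}h")
    for c, (rto, mtd) in rto_gaps(PROCESSES, CURRENT_RTO_HOURS).items():
        print(f"GAP {c}: planned RTO {rto}h > required MTD {mtd}h")
```

The point the worksheet makes is the one both sources stress: a component's tolerable outage is inherited from the most demanding process that depends on it, even indirectly. Here the SAN and directory service carry a 24-hour and 6-hour planned RTO, yet the 4-hour MTD of customer payments reaches them through the ledger and authentication chain, so both show up as gaps that a per-system view would miss.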


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.